The Collision Industry Conference (CIC)’s Data, Access, Privacy & Security Committee on Jan. 19 discussed with two attorneys the importance of establishing end-user license agreements with vendors and customer disclosures as best practices for shops when it comes to protecting customer personally identifiable information (PII).
Lawrence H. Pockers, a Philadelphia-based attorney with Duane Morris, said PII disclosure opens shops up to privacy liability.
“The unauthorized disclosure of a customer’s PII, whether intentional or not intentional, doesn’t factor into the analysis here, at least with respect to the comprehensive data privacy statutes that have been passed to date,” he said. “And most of the bills that are pending in legislatures today create a significant liability risk for repair shops.”
A couple of class action lawsuits he gave as examples were Greenley v. Avis Budget Group and Mollaei v. Otonomo. Plaintiffs in the first case contend that the rental car company didn’t adequately protect drivers’ PII that was collected when they paired their devices with the rentals. The second case, which was dismissed Jan. 18, alleged the data broker collected and sold PII without consent from the owners.
In the Otonomo case, “the judge’s rationale was even though there wasn’t really much to decide the case on was that the case was [about] a built-in component and so technically it was not attached to the vehicle and that was the reasoning for the decision,” Pockers said.
Customer PII can also be sold unbeknownst to shop owners and employees. For example, at the July 2022 CIC meeting, Society of Collision Repair Specialists Executive Director Aaron Schulenburg said that 86% of all quoted collision repair data could be available for sale, including full name, home address, email, cell number, VIN, and insurance carrier, by a collision industry data aggregation company that is providing or selling the data to at least one third-party company to sell the information back to the industry.
Stamford-based attorney and Silver Golub & Teitell partner Steven Bloch said the chain of custody of PII should be of the utmost importance to shops.
“Understanding the information that you’re sharing with your industry partners and your vendors through your various license agreements and the other transactions that you’re conducting with them first and foremost, of course, is the protection of the customer’s PII and that’s effectively the concern of the shops.
“What are their responsibilities there? What are the rules of the road and how are they conducting their operations with respect to protecting that customer PII? Shops are the entry point for this data and they hold responsibility under the various developing laws and regulations. …Many of the statutes have intentional provisions. Lots of the statutes don’t hold the shops to that standard. There are standards of negligence or simply strict liability. Once that information has been breached or disclosed improperly without customer disclosure and authorization and consent there is liability and exposure for the shops.”
Customer disclosures should state how PII will be used and must be tied to a specific purpose, he added. Examples of license agreement language include:
“We certainly recommend all shops to concert with their legal professionals and other consulting analysts to review your current contracts and your license agreements to determine what it is that you’ve provided as far as permission to your industry partners and your vendors,” Bloch said.
Bloch and Pockers said shops should put together a list of standard operating procedures and best practices that meet state laws and potential federal legislation for what has to be included in customer disclosures and notifications, guidelines for protecting PII, and getting customer consent.
“There’s no perfect solution and no way to prevent the use of the transaction of data down the supply chain when it winds up in the hands of data brokers improperly but you’ve got to take every protective or preventive measure you can,” Bloch said.
Bloch said both law firms can work with shops on writing customer data use documentation and make sure that the shop owners understand the agreements they have with their business partners.
“We can arm you with the ability, and potentially negotiate on your behalf, new license agreements or at least addenda or side agreements so that you’re better protected with your business partners,” Bloch said.
According to The Post, Massachusetts, Iowa, Mississippi, Indiana, Oklahoma, Oregon, Tennessee, New York, and Kentucky have introduced so-called comprehensive privacy bills that set limits on what data companies can collect and how they can use it.
And legislators in five states — Connecticut, Oregon, West Virginia, Virginia, and New Jersey — are considering increased protections of children’s data.
Bills in New York, Mississippi, Maryland, Oregon, New Jersey, Virginia, and Washington target the protection of subsets of data including health and biometric information, or seek to put limitations on third-party data brokers.
Only five states to date have passed privacy laws covering a broad range of consumer data: California, Colorado, Connecticut, Utah, and Virginia, according to The Post.
Federal legislation may also be on the horizon based on a Wall Street Journal op-ed written by President Joe Biden in which he urged lawmakers to set “serious federal protections for Americans’ privacy,” including “clear limits on how companies can collect, use and share highly personal data,” heightened protections for “younger people,” and limits on targeted advertising.
Featured image credit: TU IS/iStock
Duane Morris attorney Lawrence H. Pockers and Silver Golub & Teitell partner Steven Bloch speak during a Collision Industry Conference (CIC) panel on Jan. 19, 2023.